Whoa, Google, That's A Pretty Big Security Hole (techcrunch.com)
260 points by bdb on Nov 20, 2010 | 33 comments

I've been tracking security holes that leak your identity for a while.

Via a bug in Firefox's Error object: http://33bits.org/2010/06/01/yet-another-identity-stealing-b...

Via a bug in Google spreadsheets: http://33bits.org/2010/02/22/google-docs-leaks-identity/ (I found this one :-)

Via history stealing: http://33bits.org/2010/02/18/cookies-supercookies-and-uberco...

More sophisticated, but hypothetical version of previous: http://33bits.org/2010/02/19/ubercookies-history-stealing-so...

XSS bugs and other problems with Instant personalization partner sites: http://33bits.org/2010/09/28/instant-personalization-privacy...

I've also been predicting that this will eventually become the new normal -- both because the bugs are coming too fast to fix (and exploits in the wild will become more common) and because Facebook is pushing to change people's expectations with Instant Personalization.

The other day I attended a talk about one-click frauds. I realized that that's the perfect black-hat use-case for this class of attacks (although current 1-click fraudsters are apparently rather low tech). Stay tuned.

Bugs that allow remote attackers to take over your computer when you hit an evil web page are also coming almost too fast to fix. They aren't the new normal, so I see no reason to back down on these kinds of problems either.

(You don't hear about most of these bugs, because the people who find them don't usually publish before the patch hits, but ask anyone who's reported a bunch of browser bugs how long they waited for fixes.)

That's a very good point. Sorry if I was unclear earlier -- I don't think we should give up on trying to find/fix these bugs. I was thinking more along the lines of (1) improving user education (2) improving private browsing mode to deal with these attacks even at the expense of compromising some functionality. Mozilla has already been thinking along these lines: https://wiki.mozilla.org/Security/Anonymous_Browsing#Anonymo...

As for whether it will become the new normal, that remains to be seen, but I think there are a couple of differences compared to regular privilege-escalation exploits: (1) everyone agrees that taking over your computer is malicious, whereas the perception of identity leaks is malleable (2) identity leaks are harder to deal with: even after the relevant bug is fixed, the attacker still has the mapping of your identity to your IP/browser fingerprint.

But thanks for the comparison and I will keep an open mind about this :-)

Nice compilation. It is good that Google has taken this seriously and is working to fix it quickly. We will probably see a few more like this as things like Google, Facebook Connect and Twitter become federated Identity Providers to many sites on the net.

I must say, though, that personally, if it is only harvesting my email address, I don't really have a major issue with it. I use my email address everywhere and sign up for lots of services; Gmail is very good at spam filtering, and with unsubscribe.com and Priority Inbox I don't have a problem maintaining a zero inbox. That doesn't mean it is not a bug that they should fix; I'm just saying that perhaps the impact is not as large as the votes that got this to the front page of Hacker News imply.

Didn't something similar happen with Wattvision when they launched? It was a bug in GAE authentication; the site didn't even intend to do that.

Yes. They fixed the bug within a few hours, and yes, it was not our intention.

The non-automatic version of this (with an appspot domain, not considered a bug, since the guy logged in) has been used to discover the true identity of a guy who claimed to reveal insider info on Twitter about the French Socialist party (left, Parti Socialiste); he is a member of the opposing party, the UMP (right).

I found this[1] when playing with the Google Code Playground. Not really a vulnerability, but:

i. it is on the appspot domain
ii. I can do ANYTHING I want: make a site, force redirection
iii. That's all I have

*They were notified a while back.

How can they fix it?

i. Check the IP of sender and receiver
ii. Use htmlfill or append a new script instead.

[1] http://www.christopherwoodall.com/blog/?x=entry:entry100814-...

Isn't Google giving away money for documented security breaches?

It's funny that Google says "We encourage responsible disclosure of potential application security issues to security@google.com" yet they didn't reply back to this hacker who exploited the hole.

And you know for sure that he contacted them that way?

I just don't feel safe with Facebook connect. Seems like someone can get information from that as well. Don't like the whole logged in while on Facebook, to the whole internet.

One way to mitigate most of these holes is to separate email from web browsing. Some people actually use two different computers or browsers, but I just make sure to log out (not just close the tab with) my email before I browse any other sites. Even sites I trust (because they could have been hit by XSS or something).

It's clear this issue will be resolved shortly by Google (the site's already dead).

I just hope that, once fixed, the exploit is released for inspection.

It's not like it was a Google site (Gmail, gCal, or whatever) they took down. Google took down his personal blog, which seems really sketchy. Fixing the problem involves more than just taking down the site that says there is a problem.

Posting an active exploit to their hosting service is a pretty massive violation of the blogger ToS, though...

Why is it clear?

They've already taken down the shortened link and blog, so they're definitely working on it. It's a major enough issue that they'll definitely work on it until it's fixed. Plus it seems quite likely that it's a random little exploit in blogspot, and I strongly suspect it's the kind of exploit that's impressive while a secret, and turns out to be some stupidly basic trick with a really easy fix.

See, they are just covering their asses at this point. Besides, bugs are not random, nor can one casually observe them to be little until more is known.

Might be a huge problem that takes them weeks to solve.

From what I've seen, the majority of privacy issues like this tend to be an exploitation of a feature, i.e. finding a way to use something that it wasn't meant to be used for. As such, fixing the feature (and/or disabling) resolves it.

Sure, it could turn out I'm wrong, but I think the odds are in my favour.

One thing I know for sure: finding security bugs is never an easy task; nobody gives you anything for free in this world. So when I see people who think like you minimizing it, I say to myself that people should start thinking twice before releasing their findings for free, because nobody is going to acknowledge your work anyway.

First, I haven't said that it was easy to find the bug. Second, I said I hope it's released after it's already fixed, so your "for free" point is pretty irrelevant.

Stuff like this is why I use an IMAP client instead of webmail.

I still use webmail, but I use a Fluid.app (or Prism) wrapped version of Gmail so the authentication info doesn't get shared with my main browser (Chrome).

This is a handy, albeit unintentional, benefit of using a desktop app-ified web site.

Cool. I didn't know there was anything like Fluid.app. I'll give it a try.

I also think of it as a feature, or near to it. I hate signing up for sites as a user, and as a developer I hate that chicken-and-egg issue with users who hate to sign up. I visit the site, I click "send me password", and the site looks me up and sends me a new password or a reminder, and I log in by just typing the password. This as an example.

My head hurts slightly from trying to parse your comment. I realize English probably isn't your first language, but I think you should try and rephrase it if you want to be understood.

translation: user privacy is a barrier for him as a developer, just like english.

More concisely, he/she wants to be able to discover a user's email address when they visit a site, so that the user just has to click a "create an account, and email me my password" button. (i.e. removing barriers to user sign-up to his/her site) This obviously conflicts with the idea that a user should be able to keep that information private.

If I was Google, I would probably offer him a job...

Why has not a single person mentioned that TC is just wrong? The problem is not that it gets your email address... it looks like it's likely that the website isn't even getting the gmail address.

It's much worse. The blog author is able to send emails through an API that appear to be from "noreply@gmail.com" with the proper headers. So instead of getting a funny little email, you get a phishing email that even Gmail isn't smart enough to block.

But, I mean, sure, let's act scared that some website can get my gmail. You want it? I'd be happy to give it to anyone, spam or otherwise.


Update 4: Google says the issue is now resolved: “We quickly fixed the issue in the Google Apps Script API that could have allowed for emails to be sent to Gmail users without their permission if they visited a specially designed website while signed into their account. We immediately removed the site that demonstrated this issue, and disabled the functionality soon after. We encourage responsible disclosure of potential application security issues to security@google.com.”
